在python / scapy中对流量进行采样
[英]Sampling traffic in python/scapy
问题描述
i'm currently looking to implement a basic traffic sampler using python and I'm wondering how to efficiently implement the sampler interval between each capture. 
我目前正在寻求使用python实现基本的流量采样器,并且想知道如何有效地实现每次捕获之间的采样器间隔。 I am not using sFlow as I want to sample traffic on my NIC. 我没有使用sFlow,因为我想对NIC上的流量进行采样。
I have looked at scapy but it seems that it does not provide a sampling feature. 我已经查看过漏斗,但似乎它没有提供采样功能。 Therefore, in the processing function attached to sniff (eg sniff(prn=XXX) ) should I implement myself a timer to check if a packet should be specifically processed ? 因此,在附于sniff的处理函数中(例如sniff(prn = XXX)),我应该为自己实现一个计时器来检查是否应专门处理数据包吗?
Otherwise, I have an idea with the following code (basic example): 否则,我对以下代码(基本示例)有所了解:
#Packet sniffer in python
#For Linux
import socket
#create an INET, raw socket
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
# receive a packet
while True:
sleep(1) # Timer ?
print s.recvfrom(65565)
I've looked in the socket creation as well but didn't find any suitable answer. 我也查看过套接字的创建,但是没有找到合适的答案。
My question is, what is the most efficient, performance-wise, way to capture and sample traffic on a network interface ? 我的问题是,在网络接口上捕获和采样流量的最有效,性能最佳的方法是什么?
1 个解决方案
解决方案1
0 2018-11-30 15:52:52
Well first of all, if you are going to have a delay/timer you need to import time or if you are using just sleep(n) to do from time import sleep . 好吧,首先,如果您要使用延迟/计时器,则需要import time或者如果您只是使用sleep(n)来执行from time import sleep 。 Secondly, it's my personal opinion that timers aren't really the best options for sniffing packets. 其次,我个人认为计时器并不是嗅探数据包的最佳选择。 Especially if you are filtering/looking for certain types of packets. 特别是如果您要过滤/查找某些类型的数据包。 Also to get any relevant details of a raw packet, you need to deconstruct it. 另外,要获取原始数据包的任何相关详细信息,您还需要对其进行解构。 The struct module in python is probably best for that and you need to know how to extract data from certain received packets. python中的struct模块可能是最好的选择,您需要了解如何从某些接收到的数据包中提取数据。 When receiving the packet data using s.recvfrom(65535) , this is stored in a tuple and you need to focus on the first element of this using something like: 当使用s.recvfrom(65535)接收数据包数据时,该数据存储在元组中,您需要使用类似以下内容的方法来关注数据的第一个元素:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
while True:
try:
packet = s.recvfrom(65565)
packet = packet[0]
#begin to analyse and deconstruct packet data
except:
pass
Each packet of data in constructed in a way the you can extract useful information from each one of them. 每个数据包的构造方式都可以使您从每个数据包中提取有用的信息。 A simple search on how they are packed can help you on knowing how to deconstruct them and show information. 简单搜索它们的包装方式可以帮助您了解如何解构它们并显示信息。 Look into the struct module and that should set you off! 查看struct模块,这应该会使您失望! If you really need a delay for some reason, I would use a maximum of sleep(0.5) . 如果由于某种原因您确实需要延迟,那么我将使用sleep(0.5)的最大值。
For efficiency, you may want to implement threading. 为了提高效率,您可能需要实现线程化。 If your code is working fine, this wouldn't necessarily be needed but if you wanted to, you could start a thread to deconstruct a received packet WHILE your NIC is still receiving packets. 如果您的代码运行良好,则不一定需要这样做,但如果您愿意,则可以在NIC仍在接收数据包的同时启动一个线程以解构接收的数据包。 It would look SOMETHING like this: 看起来像这样:
import socket
import thread
def deconstructPacket(packet):
#code to deconstruct packet
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
while True:
try:
packet = s.recvfrom(65565)
packet = packet[0]
thread.start_new_thread(deconstructPacket, packet)
except:
pass #or handle any errors
I hope this helped!!! 希望对您有所帮助!!!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.